Managed Threat Detection and Response

Lately, we can’t help noticing an endless cycle where the more enterprises invest in threat prevention; the more hackers adapt and continue to penetrate enterprises.

To make things worse, detecting these penetrations still takes too long with an average dwell time that exceeds 100 (!) days.

To keep the enterprise protected, IT needs to figure out a way to break this endless cycle without purchasing complex security and data analysis tools and hiring the right (skilled and expensive) security professionals to operate them.

Enter MDR

An advanced security service, Managed Detection and Response (MDR), provides ongoing threat detection and response, leveraging AI and machine learning to investigate, alert, and contain threats.

MDR is becoming popular and gaining traction. In fact, Gartner forecasts that by 2024, 25% of organizations will be using MDR services, up from less than 5% today. And by 2024, 40% of midsize enterprises will use MDR as their only managed security service (source: Gartner’s Market Guide for Managed Detection and Response Services Published 15 July 2019 – ID G00367208).

MDR is the industry’s hope to break the cycle of adding more and more threat prevention tools, as hackers continuously increase their attack capabilities. Yet, to gain visibility into all network traffic – critical for effective detection and response – traditional MDR services require installing dedicated software and hardware across an enterprise’s network.

This deployment model is expensive and complex, causing many companies to put off implementing MDR services while leaving their network at risk.

Houston, we have a triple problem

1 — Every enterprise is a target for hackers, regardless of its size or type of business. According to Verizon’s 2019 Data Breach Investigations Report (DBIR), 43% of breaches involved small business victims; 10% were breaches of the Financial Industry, and 15% were breaches involving Healthcare organizations.

2 — On top of that, enterprises need always to assume the worst, as Gartner states clearly, “The assumption must be that the organization will be compromised, that the hacker’s ability to penetrate systems is never fully countered. Continuous monitoring of systems and behavior is the only way to reliably detect threats before it is too late.”

3 — As a result, enterprises must continuously stand guard, presenting a huge challenge for IT in terms of resources and in-house skills. Furthermore, according to the DBIR, “56% of breaches took months or longer to discover,” which during this long dwell time the malware distributes itself, spreads throughout the enterprise, and when activated, the damage caused is multiplied.

In short, if all enterprises are targets, and must always assume they’re under attack, then IT needs to be watching 24/7. Hmmm, does this sound impractical to anyone else?

Okay, we’ve had a problem – meet Cato MDR

Cato MDR is incorporated into Cato’s SASE platform, overcoming the complications of traditional MDR. Cato aims to break the endless cycle of increasing threats and lurking hackers. How? By enabling customers that use Cato Cloud, to offload the resource-intensive and skill-dependent process of detecting compromised endpoints, to its SOC team. The team has instant, clear visibility to all traffic, and there’s no need for customers to deploy any additional network probes or software agents.

Cato automatically collects, indexes, and stores the metadata of every WAN and Internet traffic flow traversing the Cato Cloud. Data aggregation and machine learning algorithms mine the full network context of Cato’s huge data warehouse, detecting any malware indicators across customer networks. Cato’s SOC team assesses the traffic flaws and alerts customers on any active threats.

A sneak peek behind the scenes

Cato claims that its MDR service stands guard for customers, and dwell time is reduced from months to just 1-2 days. We had to get a closer look to understand, if and how this is possible. Here’s what we found.

Cato’s MDR service delivers these key capabilities:

  • Zero-footprint data collection: Cato can access all relevant information for threat analysis since it already serves as the customer’s network platform (remember, Cato MDR is integrated into Cato’s SASE platform). This eliminates the need for any further installations, and all that’s left for customers is to subscribe to the service.
  • Automated threat hunting: Cato uses big data and machine learning algorithms to mine the network for suspicious flows, which are based on the many flow attributes available to Cato. These include accurate client application identification, geolocation, risk assessment of the destination based on IP, URL category, URL name structure, frequency of access, and more.
  • Human verification: Cato’s SOC team inspects suspicious flows on a daily basis, closing the investigation for benign traffic.
  • Network-level threat containment: Cato alerts customers in case of a verified threat, and based on a predefined policy, will apply network-level threat containment by blocking the network traffic.
  • Guided remediation: Cato provides the context of threats for IT’s further reference and recommends the actions to be taken for remediation.

Additional cool capabilities

Multi-dimensional approach:
Cato has full visibility into all network traffic. From each network flow that passes through its MDR service, Cato extracts and collects metadata on the following:

  • Source – Cato distinguishes between human and non-human traffic, client type, OS data,
  • and more.
  • Destination – Cato sees the popularity, category, and reputation.
  • Behavior – Cato knows the traffic patterns, such as frequency and volume of data.

Cato then stores all this metadata in its big data repository.

Cato's unique multi-dimensional approach
Cato’s unique multi-dimensional approach

Threat hunting:

We zoomed into Cato’s threat hunting technology and learned that Cato reduces a daily quantity of millions of flows down to only 10-20 flows, which need actually to be investigated by its SOC team. The team then reviews the list and makes sure customers are only notified of confirmed threats that need attention. This eliminates what we all dread – false positives.

Threat hunting – from millions of events to a meaningful, actionable item
Threat hunting – from millions of events to a meaningful, actionable item

Service walkthrough

The Cato MDR portal is where customers handle all requests and activities. The portal includes an online ticketing system, through which all threats are reported, and their remediation status is tracked. We found the portal to be intuitive and self-explanatory; we’re happy to take you through a quick walkthrough:

Once you log into the portal, you’ll be able to view your company’s activities’ detailed status.

View all company activities and requests
View all company activities and requests

For each request category, you can see a summary of all active tickets that include: the ID number of a specific request, the name of the requestor, the time of the last activity performed on the request, and the status of the ticket.

Clicking on any of the requests enabled us to drill down into its specifics. Each threat incident includes the following detailed information:

  • Name and IP of the site on which a threat was discovered.
  • Type and name of threat.
  • Risk level of a specific threat type.
  • Internal/external IP address that is the target of an attack.
  • Domain name that refers to a server’s IP address.
  • Destination port number of a communication channel.
  • Reference and link to Cato’s event discovery (Instant Insight).
  • Action taken by Cato’s SOC team.
  • Further reference to a specific threat or attack.
  • Recommended action for customers to take for removing a threat.
Drill down into any request
Drill down into any request

Cato MDR generates monthly reports that list all previous and ongoing investigations and include an executive summary section, which we found especially beneficial for easily sharing with relevant peers and managers.

Monthly audit reports of all events

Monthly audit reports of all events

Monthly audit reports of all events

Wrap-up

Cato MDR won us (and Cato customers) over with its sophisticated capabilities on the one hand, and easy-to-use portal on the other. But mostly we were impressed by the peace and quiet it provides enterprises and their IT teams. Cato supports Gartner’s four stages of an adaptive security architecture.

Cato’s integrated security stack addresses the Prediction and Prevention stages, and Cato MDR concludes with the remaining stages of Detection and Response.

Cato Cloud
Cato MDR adds Detection and Response to Prediction and Prevention already delivered by Cato Cloud

Big LIKE Cato Networks!

Follow me for more information.

X